Comments for Leon County, FL Dumps Diebold Voting Machines

Comment from Brantl on 2005-12-22
The only thing that is going to trump the vulnerability of an anonymous un-voter-traceable-vote is a way to verify your vote, and if it's been altered, have the legal right to correct it. I strongly suspect that vote-flipping or loads of false presets (so the initial count isn't zero) is how voting is being cheated most significantly. Vote suppression is probably the next best and from there, who knows. Vote suppression needs to be handled by LAW. Allocation of voting booths needs to be covered by LAW. But nothing protects a vote that the voter can't be sure of how or even IF it was counted. I'm getting beaten up (over at Black Box Voting) for saying that voters should get a legally binding copy of their ballot with an ID number on the ballot, so that they can check how it's recorded and take it back to get it corrected. Read there if you want all the details. But your vote is incredibly vulnerable if you have an untraceable-by-the-voter ballot. I don't see a way around this. I think you can have your country, or you can have your untraceable vote. I'm not saying it can't be anonymous, but it can't be untraceable.

Comment from Ron Crane on 2005-12-22
Adding "paper trails" and opening voting machine software to public scrutiny is *insufficient* to prevent malicious vendors, or malicious employees of vendors lacking sufficient internal and external controls, from cheating. A malware loader embedded in firmware (e.g., BIOS, FPGA, ASIC), combined with a communications device or hidden data storage (e.g., steganographic encoding) allows a malicious vendor to load any program or data it wishes into its machines during the election. This works even if the voting application and operating system are completely honest and are properly and honestly installed in the voting system.

Comment from Roger on 2005-12-21
@BE6-II:
Sorry for the late reply, I only just noticed your question:
"How are the counted totals sent from the polling stations to something more central? If the answer is "by phone", then does everyone remember the story of Las Vegas hotels and/or escort services or groups like that? ..."

In my country (Australia), which uses paper ballots, I don't know if any other methods are employed, but one method is that as results are called in, they are displayed on an indicator board which (along with talking heads commentary, similarly to the US) is broadcast continuously by the national broadcaster (both terrestrial and satellite networks) and every half hour or so on the commercial networks. I think they also do radio coverage. So if such an attack was mounted it would be discovered within minutes unless the attacker could take out all the terrestrial and satellite networks at once.

Even if they did manage to do that, it would be discovered the next morning when the newspapers published the district-by-district breakdowns; a recount can still be called at that point.

"Of course the paper record that is sent through a rightfully trusted channel after the results are phoned in is religiously triple-checked for every polling station even though this is a very boring glamorousless job (It's already known who won) that just always results in records matching... right?"

Yes, actually it is checked -- and considerably more than triple checked. Not merely a paper total but ALL the actual ballots are delivered to divisional offices under seal for their FOURTH counting. Then under certain conditions there may be a fifth scrutiny. All of these scrutinies, at local polling places and divisional offices, are checked by election officials, scrutineers (who are political party appointees and usually quite eager to find a discrepancy if they are not winning), and sometimes also by academics. Despite all this checking most electorates have a final result by 8 pm -- but the final result is not the end of it! In fact while individual ballots may eventually be destroyed the rest of the records have to be kept forever and quite apart from the scrutineers, various scholars analyse them five ways to Sunday. Most elections result in several academic papers worth of analysis.

Comment from BruceGDC on 2005-12-16
Some thoughts from this conversation:

1) I don't think that *any* electronic vote tallying system can be trusted. This includes open source systems.

Why? Because there are too many points to jigger the system - is the software that's loaded on *this* voting machine the correct version? How do you prove it? How about the central tallying point? The communications point between them? Do we have enough genius CS types around to adequately verify the integrity? And what of the next genius who comes up with a way around the system? (hmm.. how about a hacked video chip that catches the results & changes them to the screen.... the program is performing perfectly, but the hardware's been hacked.. not *that* far-fetched).

2) The core problem here is that there's nobody who has enough of a view for a check/balance system. Someone hacks the ATM and banking networks, there's someone who has enough of a view of the transactions to say "hey - I can see a discrepancy" - because both parties to the transaction sets have complete records, or close enough. In an election, there's a single outcome (for each race/proposal), that takes millions of inputs to come to the answer, and there's not the second trail. Having multiple counting mechanisms (scrutineers - see my note above) gives that check & balance - the various interested parties have their own intermediate results, aggregated by their folks from visible single results, and can check that the summary from each sub-group is valid, and the overall numbers are also valid. No electronic system will provide that - it takes multiple humans observing the same event to provide the balance.

Comment from Bruce Schneier (http://www.schneier.com/blog) on 2005-12-16
"You are referring to people's assemblies in some Swiss states, called Landsgemeinde."

Thanks for the info.

Comment from piglet on 2005-12-16
"I believe some parts of Switzerland have open elections."

You are referring to people's assemblies in some Swiss states, called Landsgemeinde. Those assemblies are the traditional, low-tech way of reaching democratic decisions, adequate of course only to very small populations. I think they have now been abolished almost everywhere. There are interesting arguments pro and con. The vote counting wasn't always accurate - try to count accurately several thousand raised hands. On the other hand, some have pointed out the unique experience of people's sovereignty. Of course, women were admitted to those assemblies only about one generation ago.

Comment from Bruce Schneier (http://www.schneier.com/blog) on 2005-12-16
"ok, i give up, for now, i wasn't able to muster any supporters. in the anonymity/security tradeoff i usually support anonymity, but elections are different, and i'm willing to risk the intimidation of 10-20 percent of the voters in return for an absolutely transparent, secure vote count, because public confidence in the result is so very important to our ability to continue to function as a republic."

I disagree with this, but it's not an unreasonable position. I believe some parts of Switzerland have open elections.

And I have argued that the popularity of the mail-in ballot makes vote buying more likely, and we seem willing to give up that bit of security for convenience.

Comment from another_bruce on 2005-12-16
@piglet, artappraiser
ok, i give up, for now, i wasn't able to muster any supporters. in the anonymity/security tradeoff i usually support anonymity, but elections are different, and i'm willing to risk the intimidation of 10-20 percent of the voters in return for an absolutely transparent, secure vote count, because public confidence in the result is so very important to our ability to continue to function as a republic. i lost my confidence some time ago, and i fear that we lost our republic under the cloak of anonymity (florida 2000, ohio 2004). once the notion that a president could have illegitimately taken power becomes plausible, never mind proved, a citizen's willingness and ability to function as part of a national community is utterly degraded. we become 100,000 balkanized communities; at least in my community people stand up to be counted on the important things, and we don't wear bags over our heads. i had heard of republics being lost at gunpoint, but as a younger man i would have scoffed at the notion that we could be undone by proprietary software. if i ever get the chance to vote on whether oregon should secede from the union, i'll probably vote yes, i can no longer say with confidence that this union is worth the time, trouble, effort and expense needed to keep it together.

Comment from piglet on 2005-12-16
@another_bruce: "yes, the nazis paraded around in public, but they were in the company of kindred spirits so there was little risk." I don't know what you are trying to say. The point I would like to emphasize is simply that you cannot discuss this question without taking power into account. You say it's a good thing if people are being "watched by friends of whose opinion they care". That is true to an extent, but we are not only watched by benign friends. We are also being watched by employers, by government, by those who have power and who don't want to lose it. Even within families, relationships are shaped by power, as artappraiser has pointed out correctly. Maybe this is something libertarians don't like to talk about. In modern society, anonymity is an indispensable protection for the individual, especially concerning elections.

Comment from Laird Popkin (http://www.openvotingconsortium.org/) on 2005-12-16
Erik V. Olsen says: "The only acceptable use, in my view, for an electronic voting machine is to make it easier to produce clean, countable, paper ballots."

This is a great one-line summary of the approach advocated by the Open Voting Consortium. To elaborate:

The Open Voting Consortium (OVC) is a non-profit organization dedicated to the development, maintenance, and delivery of open voting systems for use in public elections.

The San Jose Mercury News has written that the OVC system is "The touch-screen holy grail."

Comment from BruceGDC on 2005-12-16
One thing I see missing in this discussion, particularly around paper ballots is the concept of the "scrutineer" - people who are there from the interested parties or candidates who watch the counting. This makes paper ballots counted by hand the *most* secure and accurate methodology. I gather that the Canadians have moved away from this in the past couple of decades, but that's what worked very well there - representatives from each party were present during the day while the elections went on, and observed the ballot box being sealed in the morning, empty. Any chicanery would require the collaboration of people who do not have a vested interest in the chicanery (assuming there's coverage from all parties..) or it could be reported immediately and investigated.

When the ballot box is opened, the ballots are visible to all the scrutineers, and they tally the results independently, reporting the totals back to their party/candidate - this prevents fraud at the central tabulating site, since the vote counts from each poll are known to each of the parties independently.

Could it be hacked? Not easily. Is it more expensive than having insecure electronics? Maybe - it works best with polling stations in the hundreds of people rather than the thousands that seem to be the norm here - but it is verifiable, reproducible and secure from wide-scale undetectable tampering.

Comment from artappraiser on 2005-12-16
> anonymity is overrated in elections.

Bullshit. Ask any woman married prior to like 1960 about husbands expecting wives to vote a certain way or else.

Or ask someone like a Hasid if he'd like the rebbe to know how he didn't vote the way the rebbe told everyone to.

People with power over other people tell them how they should vote; it's just a simple fact. Without anonymity, they will not be able to vote their conscience and it is not "one man, one vote," but tribal voting.

While this is not to say that Diebold machines were/are rigged, the appearance of electoral fairness is rather lacking when the guy who builds the voting machines has 'committed' himself to putting a specific candidate in office. The fact the American people did not run Diebold out of the voting machine business on a rail after that little misstep is of far more consequence to American democracy than the finer points of electoral technology. If the people don't ensure that the voting process is above reproach, there's no point in fretting over what technology one uses to move the deck chairs on the sinking ship of state.

Comment from another_bruce on 2005-12-15
@pat calahan
>That's an interesting proposition, but I don't know that you can back it up.
you are correct. it isn't testable, provable like a mathematical theorem, it's just a conjecture based on underlying concepts i can't rigorously describe, but i damn well recognize when i see them:
right and wrong
shame and conscience
id and superego...
i am not a saint, and it is my personal experience that temptation is muted when i'm being watched, particularly by my friends whose opinion of me i care about.
>Certainly it's the case here in the U.S. that the more extreme "political parties" (e.g., neofascists and the current iteration of the KKK) make no bones about their membership.
my guess is they keep a lid on that during job interviews and first dates.

i believe you have mischaracterized libertarian conservatism (that's me), it isn't about game theory. it's about maximum personal liberty and minimum government. it's also about fiscal responsibility, environmental stewardship and peaceful relationships incentivized by the deterrent of a strong defense.
@piglet
yes, the nazis paraded around in public, but they were in the company of kindred spirits so there was little risk. the day we have to fear the "ruling classes" on account of our votes, we lose the last vestige of our common ground as americans. i'm not sure if i'm a member of the ruling classes, a potential insurgent, or both at the same time.

Comment from piglet on 2005-12-15
"Australia has 10% of the population of the US, and significantly higher literacy rates. What works in one place may not necessarily work the same way somewhere else. Australia has consistent voting laws and requirements across the whole country. The US has different regulations, practices and supervision in different states and even counties."

The population size doesn't matter. You have to consider the cost per capita, which is not affected by population size. I think you are right, though, regarding consistent regulations. I find it not acceptable that US voters are treated differently depending on their geographical location. Shouldn't this be obvious?

Comment from piglet on 2005-12-15
"US elections are more complex. In my town, when we voted for President, we also voted for: the local city council, the mayor, two levels of state representatives, district attorney and state attorney general, a governor, lt. governor, a US congressman and senator, as well as nearly 20 ballot initiatives. There were 15 pages on the ballot - marked with a pencil, read optically. In California, they can get over 100 ballot initiatives per election. It is highly unwieldy. Do other countries have separate local elections?"

There are countries which have similarly complex systems, but I know of none where all elections are concentrated on one day. Why should you? In Germany, state and federal elections are sometimes on the same day but not in general. There are also European and local elections (municipality, county and district usually on the same day).

Asking voters to decide up to 100 questions in one vote seems crazy to me. The technical difficulty can be solved but I'd be worried about the democratic process - how can you have meaningful campaigns about so many different questions at the same time, and how can you expect even the most effective citizen to remember them all? The Swiss vote up to four times a year, for this very reason.

Comment from piglet on 2005-12-15
"Here in Loudoun County, VA, we use an optical scan system which allows for instant machine-handled tabulation but provides a way for me as a voter to look and verify I indicated my intent correctly and for any recounts to be done by hand against my original indications."

You mean there's a paper ballot? If yes, then I agree it's a good idea.

Comment from piglet on 2005-12-15
@another_bruce: "i don't believe there would have been a Reich at all if the brown shirts had to wear name tags above their shirt pockets. voting is a public act fraught with responsibility, but as yet no accountability due to anonymity."

I don't think so. Nazi activists were usually very well known and didn't care to hide their political affiliation. Remember, they fancied wearing those uniforms in public. Maybe not with name tags but they hardly stayed anonymous that way. They used to hold big parades (other parties did that too, and some had uniforms, too). Moreover, the "respectable" conservative and nationalist parties, as well as important parts of the ruling classes and the capitalists, formed alliances with the Nazis - sometimes holding their noses - as soon as they had become a political factor. The President who finally gave the power to Hitler (who was not representing a popular majority) was acting exactly as the representative of the ruling classes. Abandoning election anonymity would only shut out political movements which are unpopular with the ruling classes. There's no reasonable case for that, and the nazis are certainly not a case in point.

Comment from stacy on 2005-12-15
try this link...

The part I found the most interesting is that the American media is just not interested in covering this story.

Comment from pdf23ds on 2005-12-15
"there is an underlying assumption that the human masses always respond to issues following the principles of game theory (ie, there is no free rider problem,"

Game theory can account for the free rider problem, can't it?

Comment from Gary on 2005-12-15
I figured it out. Get every voter's fingerprint at registration. Store somewhere secure. At election time, cut off a finger corresponding to their electoral choice. Sort the fingers for counting; store for verification. Can be authenticated against the fingerprint database. Only works for one election, unfortunately.

Comment from Henning Makholm (http://henning.makholm.net/) on 2005-12-15
"How are the counted totals sent from the polling stations to something more central? If the answer is "by phone", then does everyone remember the story of Las Vegas hotels and/or escort services or groups like that? They claimed their telephone calls were inexplicably redirected to their competitors. Do telephone poles get barbed wired during election time?"

The people doing counts phone in the numbers after having written down the results on a piece of paper they keep in their physical possession. The office that adds up all the numbers publicise the numbers they have added (identified by polling place). Afterwards the counters verify at their leisure that the public numbers match the ones they phoned in.

Simple.

And pretty much impossible to tamper with without either being found out, bribing all of the counters at some site, or stipulating an adversary with the power to make the counters receive _different_ falsified versions of the official record of the election.
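
The check described in the comment above, written out as an added example (not part of the original comment and not any election authority's software): each counting team compares the published row for its polling place with the paper tally it kept. The totals check, the check for rows with no counting team, and the record digest that lets teams confirm they were all shown the same record go slightly beyond what the comment spells out; all function names, polling places and vote counts are constructed for illustration.

```python
"""Added example: reconcile a published per-polling-place results table
against the paper tallies each counting team kept. Data is constructed."""
import hashlib
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    place: str   # polling place, or "*" for the overall total
    kind: str    # "missing", "mismatch", "unknown_place" or "bad_total"
    detail: str


def verify_place(place, paper, published):
    """Check one counting team runs against its own paper record."""
    if place not in published:
        return [Finding(place, "missing", "no published row")]
    row = published[place]
    findings = []
    for cand in sorted(set(paper) | set(row)):
        on_paper, in_public = paper.get(cand, 0), row.get(cand, 0)
        if on_paper != in_public:
            findings.append(Finding(
                place, "mismatch",
                f"{cand}: paper={on_paper} published={in_public}"))
    return findings


def verify_totals(published, announced):
    """Check any observer can run: announced totals must equal the sum of rows."""
    summed = {}
    for row in published.values():
        for cand, votes in row.items():
            summed[cand] = summed.get(cand, 0) + votes
    return [
        Finding("*", "bad_total",
                f"{cand}: rows sum to {summed.get(cand, 0)}, "
                f"announced {announced.get(cand, 0)}")
        for cand in sorted(set(summed) | set(announced))
        if summed.get(cand, 0) != announced.get(cand, 0)
    ]


def audit(paper_records, published, announced):
    """Run every team's check, then the checks that need no paper record."""
    findings = []
    for place in sorted(paper_records):
        findings += verify_place(place, paper_records[place], published)
    for place in sorted(set(published) - set(paper_records)):
        findings.append(Finding(place, "unknown_place",
                                "published row with no counting team"))
    return findings + verify_totals(published, announced)


def record_digest(published, announced):
    """Digest of the record as one observer saw it (canonical JSON, SHA-256).
    Teams that compare digests detect being shown different versions."""
    blob = json.dumps({"rows": published, "totals": announced},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


# Constructed sample data: three polling places, two candidates.
PAPER = {
    "North Hall":   {"Adams": 412, "Baker": 388},
    "River School": {"Adams": 230, "Baker": 305},
    "Town Library": {"Adams": 198, "Baker": 201},
}
HONEST_ROWS = {place: dict(tally) for place, tally in PAPER.items()}
HONEST_TOTALS = {"Adams": 840, "Baker": 894}

# Tampering in transit: 40 votes moved from Baker to Adams for one place,
# with the announced totals adjusted to stay consistent with the rows.
TAMPERED_ROWS = {**HONEST_ROWS, "North Hall": {"Adams": 452, "Baker": 348}}
TAMPERED_TOTALS = {"Adams": 880, "Baker": 854}

if __name__ == "__main__":
    for label, rows, totals in [
        ("honest", HONEST_ROWS, HONEST_TOTALS),
        ("row altered", TAMPERED_ROWS, TAMPERED_TOTALS),
        ("sum altered", HONEST_ROWS, TAMPERED_TOTALS),
    ]:
        print(label, record_digest(rows, totals)[:12])
        for f in audit(PAPER, rows, totals) or ["  no findings"]:
            print("  ", f)
```

An altered row is caught only by the team holding the paper for that polling place, which is why the comment's adversary has to bribe every counter at the site or show different counters different records.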

Comment from piglet on 2005-12-15
"The problem is that in the US, elections are a LOT more than just electing the president/vp, a senator and a representative. There is a gazillion of choices, so voting itself doesn't scale too well."

Good gracious, do we have to go through this nonsense again? It's bullshit. Voting does scale well, if you want it. What does not scale well is electronic voting. This happened in Ohio 2004 and elsewhere: there were simply not enough voting machines in certain counties, and many machines were not functional because of technical problems so voters had to wait for hours or go home and renounce their right to vote. This doesn't happen in paper and pencil elections. Basically, it only happens in the United States of America, apart from poor developing countries which don't have enough resources (and sometimes not yet enough experience) to better organize their elections. It certainly doesn't happen in European countries which use paper ballots.

As to the argument about the many choices in US elections: The Swiss people elect almost every official imaginable, on every level imaginable, plus they vote on almost every law on the federal, state and municipal level. They manage all right, with votes usually every three months. Many other countries have many choices on at least three different levels of government, if not as many as the Swiss. There is no inherent reason why the US among all countries shouldn't be able to have clean and verifiable elections.

Comment from Kurt on 2005-12-15
The proper role of electronic voting machines is to replace the pen, not the ballot.

That way e-voting can help with accessibility concerns, etc., while still remaining verifiable. If you want electronic counting as well, have separate companies make ballot counting machines. In the event of a discrepancy between the voting machine's total and the ballot counting machine's total, hand recount the ballots. And, audit (recount) a percentage of machines at random as well.

Comment from Mississippi Burning on 2005-12-15
@EL
"I think the anonymity we require here is anonymity of what you voted for, not who is voting."

Both are needed. There are often times in disputed elections when simply knowing that someone has or hasn't voted can be used to intimidate them. Heck, in my lifetime people in the US have been killed for trying to merely register people to vote. And episodes of racially based voter intimidation continue to this day.

That depends on whether or not you believe that a public vote would have prevented the Nazis from coming to power. If a public vote would not prevent the Nazis from coming to power, then I think my conclusion is fairly defensible.

> i don't believe there would have been a reich at all if the brown shirts had to wear
> name tags above their shirt pockets.

That's an interesting proposition, but I don't know that you can back it up.

> anonymity nurtured national socialism in its larval and pupal stages before it
> gained the critical mass where it could erupt.

I don't know that this is true. Certainly it's the case here in the U.S. that the more extreme "political parties" (e.g., neofascists and the current iteration of the KKK) make no bones about their membership. Usually the members of these sorts of parties are public and vocal, not anonymous at all.

Of course, I don't know if this was the case vis-a-vis Hitler's brownshirts, but you'd have to present some sort of evidence that they enjoyed anonymity.

Public shaming is not always an effective tool in deterring socially aberrant behavior.

Safire proclaims himself to be a libertarian conservative, and (IMO) one of the weaker elements of libertarianism is that there is an underlying assumption that the human masses always respond to issues following the principles of game theory (ie, there is no free rider problem, people always follow their best interests). This is not always the case.

Comment from Paul Crowley (http://www.ciphergoth.org/) on 2005-12-15
"The only acceptable use, in my view, for an electronic voting machine is to make it easier to produce clean, countable, paper ballots."

I think it's acceptable to report the electronic totals after the polls close but before the paper count being complete, which provides instant feedback that will in most cases be a good predictor of the true result.

"Isaac Asimov wrote a short story, "Franchise," which took that premise to the extreme"

The interesting thing is that if you choose that person entirely at random, it's a fair system by some definitions, and the only one in which the voter has no incentive to misrepresent their true preferences - ie there is no "tactical voting" in this system.

Comment from Don (http://www.donwhiteside.com) on 2005-12-15
"Optical scan machines are the most reliable machines we've got right now."

What I don't understand is what more do we need? Or more to the point, what more is there we could do that isn't far outweighed by the downsides?

Comment from Jim Hyslop (http://www.dreampossible.ca) on 2005-12-15
@Redbob: "The near-silly include "AG's" suggestion that we just check votes by statistical analysis.
If we wanted to do that, why not just suspend voting altogether and simply do polling, declare the winner based on statistical sampling?"

Isaac Asimov wrote a short story, "Franchise," which took that premise to the extreme: in the story, statisticians would look for one person who represented the views of the US, and the entire voting process consisted of that one person walking into the booth and making his selection. Nobody else voted.

Interestingly enough, apparently Asimov wrote the story after the Univac computer was used to predict the outcome of the 1952 Presidential election, based on statistical information it had been fed (http://www.asimovians.com/bookreviews.php?op=showcontent&id=77)

Comment from Tim Vail on 2005-12-15
I would question the ability of any particular system to really enforce anonymity if someone is really intent on buying votes. The machine itself can only do so much, beyond that, the buyer can use methods independent of the machine to violate anonymity.

For example, hand you a cell phone or camera with video capability, watch you go into the poll. Then demand to see a live streaming video of everything that goes in that voting booth. Then there goes the voter's anonymity. If the person doesn't comply, they don't get paid, or worse.

Comment from Ed T. (http://www.etee2k.net) on 2005-12-15
I see several benefits to an electronic voting system:

1) Elimination of the problem with printing too many ballots (the blanks could be marked up and used to rig the election) or not enough ballots (in which case people show up to vote, and have to cool their heels while ballots are printed/shipped to the polling site. Some give up in disgust and leave.)

2) The ability to support multiple languages (by law where I live some precincts have to have ballots printed in up to 5 different languages), as well as methods used by some disabled individuals (e.g. Braille.) In the USA, the Americans with Disabilities Act mandates voting equipment that is 'handicapped-accessible.'

3) The ability to provide a count quickly, with a minimal amount of human handling of the ballots. If I recall, part of the problem with the 2000 Florida recounting was that each time the ballots were handled, more of the 'hanging chads' separated from the ballots, leading to further confusion as to what the 'voter intent' was. Also, remember that each time humans touch the ballots that 'extra' ballots can be introduced into the count. This would be especially problematic in some of our elections, where questions are on the ballot that special groups have a serious economic interest in (just look at this year's Constitutional amendments for the state of Texas to get an idea of what I am talking about.)

4) Elimination of the 'two votes' problem, where someone (either mistakenly or on purpose) marks two choices on a particular ballot item. This normally results in the person's vote not being counted (as it should, since you can't discern voter intent under these circumstances.)

That being said: I do think that it is paramount that the process be robust enough to provide assurance that 'voter intent' is registered accurately. Paper backup is certainly one method of accomplishing this, but not necessarily the only method (and maybe more than one such audit trail should be used to provide independent confirmation.)

I actually used the eSlate system in the last election, and it was easy enough to use. It provides both paper and electronic audit trails, according to information provided by the Travis County county clerk's office.

The ballot system (whether electronic or paper or whatever) is simply a tool for a person to record their wishes. In the photographic world, we have a saying "It is the image, not the camera, which makes a good photograph." I would say the same holds true for elections: the voting system is a means to reach an end, not the end in itself.

-EdT.

]]>
2005-12-15T14:13:14Z2005-12-15T14:13:14Ztag:www.schneier.com,2005:/blog//2.604-comment:29700Comment from Akos on 2005-12-15Akos
>Otherwise, vote buying is far too effective (at least with anonymous votes, you can be "bought" but not actually vote the way the person paying you wants).

The way it works with paper votes is that somebody takes out an empty voting form.
The "correct" vote is marked.
Then the person who sells their vote goes in, leaves the premarked sheet, and brings out an empty instead.
This way the buyer can make sure that they paid for the correct vote (or at least for an invalid vote, but surely not a vote for the opposition).

]]>
2005-12-15T14:02:01Z2005-12-15T14:02:01Ztag:www.schneier.com,2005:/blog//2.604-comment:29699Comment from Redbob on 2005-12-15Redbob
Lots of interesting comments here, and a couple borderline silly ones:
The near-silly include "AG's" suggestion that we just check votes by statistical analysis.
If we wanted to do that, why not just suspend voting altogether and simply do polling, declare the winner based on statistical sampling?
Point 2: Where would statistical sampling have come out on President Bush's 300 or so vote margin of victory in Florida in '00?
Final silliness: the suggestion that a book by John Conyers be used to study the Ohio vote in '04! Can that person even pronounce "Agenda?"]]>
2005-12-15T13:58:30Z2005-12-15T13:58:30Ztag:www.schneier.com,2005:/blog//2.604-comment:29691Comment from haro on 2005-12-15haro
Prioritize:
- Safe and secure elections.
- Result within a short time.
- Elections with a huge number of items.

You are looking at it the wrong way, it is from one perspective an exceedingly good solution.

The man that owns the company that makes these voting machines is (I have been told) a "dyed in the wool" Republican, and makes significant campaign contributions.

There is also I understand pressure from the current administration to go "HiTec" i.e. by these electronic voting machines.

On the face of it it appears to be the usual "you scratch my back" arrangement which I privately call something altogether different.

At this point it is very much like any other "campaign kick in" arrangement, however there have been some more worrying things reported.

I have seen several postings around the Inet about analysis of votes cast where these electronic machines are used and where they are not, and there appears from what has been published to be some significant variance. Sufficient it appears to have made sufficient difference to have changed the result of the presidential selection...

Now if the above is true then you really do have a very very good outcome for one or two people...

]]>
2005-12-15T12:30:40Z2005-12-15T12:30:40Ztag:www.schneier.com,2005:/blog//2.604-comment:29684Comment from eatdd on 2005-12-15eatdd
@Jim Hyslop
"So, if I read this right, Hursti pre-loaded a total of 10 votes: +5 "Yes" and -5 "No." The algorithm seems to be: add up all the votes and ensure the total is zero."

The algorithm is whatever Hursti says it is. That is the whole design flaw. You would expect they put a non executable page layout on the memory cards where code from the machine fills in the results at the (many and different with every election) right places during printout. That would mean that as long as the results (name and # votes) are in the right order nothing fancy happened. (Maybe you could still swap names)

Instead the printout is done by an interpreted "accubasic" routine that is stored on the memory card without any protection against tampering. This makes the machines very future proof, but it also means you can just put a routine there that reports there are 2600 votes for everyone when there are zero (or -100 or whatever) and that reports cowboyneil has won once the results are printed (regardless of whether he was on the ballot or not). You can also make the display of the machine read "your so 0wn3d" I guess.

It would be really cool if these accubasic routines also had control over any speakers or mechanical parts of the system. Sadly, undetectably faking results may convince less people that the machine is broke beyond repair than clouds of smoke and noises ;-)

"US elections are more complex. In my town, when we voted for President, we also voted for: the local city council, the mayor, two levels of state representatives, district attorney and state attorney general, a governor, lt. governor, a US congressman and senator, as well as nearly 20 ballot initiatives. There were 15 pages on the ballot - marked with a pencil, read optically. In California, they can get over 100 ballot initiatives per election."

It is this variation that makes the whole US electoral system unscalable and unsustainable in my view. In Australia (my sole area of electoral experience), we have separate Federal, State and local elections. It is incredibly rare to have anything other than the election of those representatives on the ballot sheet. I may be incorrect, but I believe that the only time that this happens is a referendum relating to constitutional change (which requires >66% majority).

It is also ONLY those representatives that we are electing - not their leaders. Out of what you listed, the positions that we elect people into are: a Federal representative for the local area (into the House of Representatives); a few Federal representatives per state (into the Senate); similar things on a smaller scale for each state (in separate elections - often a couple of years apart from the federal elections); local government councillors.

That's it.

]]>
2005-12-15T12:02:08Z2005-12-15T12:02:08Ztag:www.schneier.com,2005:/blog//2.604-comment:29681Comment from Pauld on 2005-12-15Pauld
Troy, I stand corrected.

What I should have said is that the paper ballot/box setup is used ~98% of the time. This differs from the US where some states use Diebold machines, others use optical machines, some use punch cards.

I don't understand the obsession with electronic voting machines. It's a bad solution looking for a problem.

]]>
2005-12-15T11:56:36Z2005-12-15T11:56:36Ztag:www.schneier.com,2005:/blog//2.604-comment:29679Comment from Anony Mouse on 2005-12-15Anony Mouse
@Pauld
Australia has 10% of the population of the US, and significantly higher literacy rates. What works in one place may not necessarily work the same way somewhere else. Australia has consistent voting laws and requirements across the whole country. The US has different regulations, practices and supervision in different states and even counties. In Australia, everyone answers the same questions at an election - "Who do you want to represent you?". There may possibly be a referendum question as well - like "should the head of state be a middle-aged woman in a country on the opposite side of the world?" but even then, everyone answers that question too.

In the US, there may be many other questions put to voters that are irrelevant to the election, but convenient to ask at that time, since they're going to be at the polling booth anyway. These questions vary by location.

@Troy Laurin
ACT is not an Australian State - it's a territory that is essentially an adjunct to the Federal government - and anything that happens there is generally treated like a test case (similarly to the Northern Territory which recently had euthanasia laws overturned by the federal government). I find it amusing that between you and Pauld, you managed to quote from the two non-states in Australia.

]]>
2005-12-15T11:39:42Z2005-12-15T11:39:42Ztag:www.schneier.com,2005:/blog//2.604-comment:29676Comment from BE6-II on 2005-12-15BE6-II
With all the polling station talk you kind of start wondering about the security of the rest of the system.

How are the counted totals sent from the polling stations to something more central? If the answer is "by phone", then does everyone remember the story of Las Vegas hotels and or escort services or groups like that? They claimed their telephone calls were inexplicably redirected to their competitors. Do telephone poles get barbed wired during election time? Are telephone switches more secure since the Mitnick days and is employee screening improved at telcos? (Not that screening will help; if you are after an election you don't want an accomplice with a record or bad reputation now do you? If only for the double crossing risk.)

Of course the paper record that is sent through a rightfully trusted channel after the results are phoned in is religiously triple-checked for every polling station even though this is a very boring glamorousless job (it's already known who won) that just always results in records matching... right? Even after lots of money has been spent on voting machines and cutbacks are going on everywhere else... right?

There are the stories of a (married?) couple of white people dressed as hippies (sans beard/long hair/sandals though) waving banners praising Kerry for his homo and abortion friendly policies in a predominantly religious black district, and driving away in a big SUV after being asked to move. There is little doubt that there is the perceived risk of people from whatever organization playing dirty in the US.

Looking at the company that is accused of stock fraud, has higher ups being openly partisan to the point of vowing to bring a candidate a victory in a fundraising context, has cheated at certification, uses way too complex hard and software (I mean MS Access? my free pocket calculator can count and doesn't overflow at 64.000!), needs its own compiler and interpreter and sells ATMs that spontaneously turn into nothing but Windows Media Player based jukeboxes... well looking at them is a sensible first move.... but there are other risks you know. You can't plan a diversion that perfect though.

For the record, my stance:
- Vote secrecy? worth fighting for! If not for the baseball bat wielding criminals then for those whose many neighbors go around the neighborhood/church/school proudly (patriotically?) showing off their proof of vote without explicitly saying they expect you to do the same. Just like last time when someone else wasn't quick enough to explain he didn't tell them how he voted out of principle. He got shunned for a year for not supporting the troops/fight against evil corporations/fight for tuna free dolphin.

- Internet voting? worth fighting against! The attack scenario I liked. Big scary guys with a wireless Internet terminal going door to door, maybe just happening to be offering coupons for free stuff on the side.

- Expecting plain paper to work is reasonable. If there is a problem with it, trying to fix it would seem like the smart thing to do first. How about more counting volunteers to speed things up? (isn't this cheaper than Diebold's latest, greatest and shiny-est at this point? What are the part costs of a big LCD touch screen, a Windows CE license and the processor to run this on?) Everything but paper is at best gadgetitis of the shiny & colorful kind, or at worst corruption. (There is at least something wrong with machines this expensive being this popular)

- Simplicity, of paper trails and elsewhere? who would have thought that explaining people that engineering stuff as simple as possible is smart could be this complex.

"Electronic is fast, reliable, expensive, and when correctly designed can be tamper proof."

So far, evidence has shown that electronic vote tabulation is fast, UNreliable, expensive, and so far, there has been little interest in making sure that it is correctly designed - and less interest in making sure that it is tamper-proof, as long as it appears to be.

]]>
2005-12-15T10:59:46Z2005-12-15T10:59:46Ztag:www.schneier.com,2005:/blog//2.604-comment:29662Comment from Troy Laurin on 2005-12-15Troy Laurin
"This setup is standard at every polling station in Australia." - Pauld

In the 2001 elections, 80 polling booths (I don't know how many venues that translates to... perhaps 6 or 7?) in the ACT used an open-source electronic voting system with no paper audit trail (to reduce costs).

Interesting to note: One of the companies in partnership with the deal pulled out prior to development, the tender was actually awarded on April 19th, but the company still managed to develop the system in time for it to be tested and audited in time for the October 20 election, and cost less than half a million $AUD including hardware!

It seems that someone in California wants to do the same... I love the quote from a "computing expert" on page 2:
"A crappy open-source system that can be modified readily is no better than a closed-source system. In fact it could be worse," she said. "When you have open-source software, people can modify it and change it however they want."

Because of course, you're going to download the code from a random page on the internet saying "This code has already been checked, no need to certify it before installing on your system".

Or perhaps I'm forgetting the mystical property for open source software to be changed by random people after it's been certified, compiled and installed...

]]>
2005-12-15T08:32:21Z2005-12-15T08:32:21Ztag:www.schneier.com,2005:/blog//2.604-comment:29657Comment from another_bruce on 2005-12-15another_bruce
@pat calahan
your conclusion does not logically follow from your premise.
"[T]here are plenty of examples historically that would indicate that letting your vote be known is a bad idea. In 1932, the Nazi Party won 13,745,000 votes which gave them 230 out of the 608 seats in the Reichstag. Now imagine if that vote was not secret. I imagine there would have been a few more guests at the 'internment' camps..."
i don't believe there would have been a reich at all if the brown shirts had to wear name tags above their shirt pockets. voting is a public act fraught with responsibility, but as yet no accountability due to anonymity. anonymity nurtured national socialism in its larval and pupal stages before it gained the critical mass where it could erupt. there would actually have been *less* guests in those camps if they had existed at all.
to remove the slightest trace of risible irony from this post, i don't mind disclosing my real last name here "murdock" as if dhs couldn't figure out who i was anyway. en garde!]]>
2005-12-15T07:44:29Z2005-12-15T07:44:29Ztag:www.schneier.com,2005:/blog//2.604-comment:29655Comment from Pauld on 2005-12-15Pauld
Troy's description is right on the money.

In Australia, we have an ink graphics core embedded into a 'writing stick' instrument. Using the 'writing stick' or 'pen', the voter marks their vote on the ballot paper, which is then inserted into a sealed ballot box.

"The officials at each polling place are supervised by an officer-in-charge. Their work can also be observed by scrutineers - people appointed by the candidates who have the right to observe the sealing of the empty ballot boxes before the polling place opens and watch out for any irregularities in voting procedures that might disadvantage the candidate they are working for.

After the voting finishes at 6.00 pm, each polling place becomes a counting centre where the ballot boxes are opened and officials sort the ballot papers according to the first preference votes. Again, scrutineers are permitted to watch and they have the right to challenge any ballot paper they believe is informal." [Informal = donkey vote, scrutineer = 1 person from each political party. Scrutineers are not permitted to challenge voters.]

IIRC, 3 people count each vote.

While it is law that voting is compulsory (the fine is ~$100 if you don't vote unless you have a reason), you really only need to turn up to a polling station and get your name marked off.

]]>
2005-12-15T07:08:33Z2005-12-15T07:08:33Ztag:www.schneier.com,2005:/blog//2.604-comment:29654Comment from Chris S on 2005-12-15Chris S
@jammit
"Waitaminnit. Preloaded the card? Has anybody heard of format, checksum, write all zero? How freakin' long does it take to format a flash drive?"

Welcome! I can see you're new here.

I *suspect* that the idea is to have a central machine pre-setup each card so that the card can go out to a specific vote-counting device, load its results, and then bring them back. The idea would be to ensure that the card/contents that went out are the same that came back in.

That's the idea. Apparently it's not the implementation.

]]>
2005-12-15T06:54:47Z2005-12-15T06:54:47Ztag:www.schneier.com,2005:/blog//2.604-comment:29651Comment from E L on 2005-12-15E L
"In an anonymous and optional voting system, how do you ensure that no one votes at two different polling places on the same day?" - Troy

I think the anonymity we require here is anonymity of what you voted for, not who is voting.

Coercion is a factor when other people know what you voted for, but does very little if all they can find out is whether you voted or not.

]]>
2005-12-15T06:09:04Z2005-12-15T06:09:04Ztag:www.schneier.com,2005:/blog//2.604-comment:29649Comment from Troy Laurin on 2005-12-14Troy Laurin
Just a comment and a question regarding anonymity...

Various people have touted anonymous elections as being an important (or mandatory) part of a democratic election (and I agree, in principle), but it seems to open an avenue of abuse... In an anonymous and optional voting system, how do you ensure that no one votes at two different polling places on the same day?

The Australian system is anonymous and mandatory... because of its mandatory nature, each polling place keeps a list of names of people eligible (and registered) to vote in the area, which is marked with attendance (note that anonymity means that your subsequent vote doesn't actually have to be _valid_)... the attendance checklist leaves a paper trail to catch people who voted twice (including absentee ballots, postal ballots, and ballots placed outside your district), as well as people who didn't vote.

There are ideas about using markers to mark the person's body (back of hand, usually?), but I'm sure most people here could quickly think up at least three ways to beat that system. I guess a token based system, like Oregon's vote-by-mail makes a lot of sense. There's still the issue of allowing people with no fixed address to vote, but even Australians can dodge the election (for a while) by not registering to vote.

Thoughts?

]]>
2005-12-15T05:13:23Z2005-12-15T05:13:23Ztag:www.schneier.com,2005:/blog//2.604-comment:29643Comment from jammit on 2005-12-14jammit
Waitaminnit. Preloaded the card? Has anybody heard of format, checksum, write all zero? How freakin' long does it take to format a flash drive?]]>
2005-12-15T04:21:09Z2005-12-15T04:21:09Ztag:www.schneier.com,2005:/blog//2.604-comment:29642Comment from Fuzzy on 2005-12-14Fuzzy
@Stuart Young
quote:
The idea behind voting automation is to speed up this counting process.
:endquote

Another selling point to voting machines is that they are supposed to improve accessibility for differently abled people.

]]>
2005-12-15T04:18:41Z2005-12-15T04:18:41Ztag:www.schneier.com,2005:/blog//2.604-comment:29641Comment from Stuart Young on 2005-12-14Stuart Young
Mary says: "It is highly unwieldy. Do other countries have separate local elections?"

In Australia there are usually only 2 or 3 things to vote on. Usually:
Member for the House of Representatives
Member for the Senate
Member for Local Council - occasional (if it happens to fall around the election period - not guaranteed)
Referendums - rare (eg: Does Australia want to become a republic)

For the House of Representatives, we use a preferential system. You get a list of names for your area (seat), and you place 1 to x values in ALL the boxes (never seen more than about 9 myself), in your order of preference. Any errors, misnumbering or blank sheets are not counted.

For the Senate we have 2 ways to vote (on the same form):
Vote above the line (by party). You only need to cross one box, and you rely on the party you are voting for to handle preferences.
Vote below the line (by candidate). You can end up with easily more than 60 boxes which you have to fill in preferentially. That is, you have to fill in every box with a number between 1 and x. This gets horribly tedious, but a must if you don't agree with where your appointed party is assigning their preferences.

PS: This is all from memory. I don't think I'm wrong, but it's possible.